At present, there is a growing volume of malicious programs (such as computer viruses, Trojan horses, and network worms) designed to inflict harm both on the data of a user and on the user of the electronic device infected by the malicious program. The harm may be caused by damaging or deleting user files, using the resources of the user's computing device for “mining” of cryptocurrencies, theft of electronic and confidential user data (correspondence, images, logins, passwords, bank card information) and other actions. Moreover, malicious software is constantly changing, since its creators employ ever new mechanisms of attack and of defense against security applications. Various mechanisms are used, such as obfuscation of the malicious code (in other words, converting the source text or executable code of a program to a form that preserves its functionality but resists analysis, an understanding of its working algorithms, and modification upon decompilation, for example) or the use of emulation-resistant mechanisms (for example, the malicious program is given the ability to recognize when it is being executed in an emulator, in which case it does not reveal its harmful activity).
Furthermore, a malicious program often does not reveal its malicious activity at once; instead it performs a large number (on the order of millions) of API function calls, runs enormous loops (on the order of billions of iterations), or halts its execution for a certain time immediately after being launched (e.g., for 1 hour by means of the “Sleep( )” function). The modern computing devices of users have high-performance, multi-core processors (and also multiprocessor systems), and therefore the user might not notice or pay attention to the workload of one of the cores. Moreover, a user normally uses the device for longer than one hour after it has been turned on. Therefore, once a malicious program has been started up, there is no need for it to manifest its activity at once.
In order to deal with the mentioned techniques, the makers of security applications (such as antivirus applications) employ detection methods that use virtual machines in the form of an isolated environment for safe execution of files. Such virtual machines are often known as sandboxes. The hypervisors under whose control such virtual machines run contain mechanisms for intercepting the functions called by applications which are being executed therein.
It should be noted that security applications employ various methods for determining whether a program is malicious, such as signature and/or heuristic analysis technologies. If in the course of the analysis a file was not determined to be malicious, it may be handed over by the security application to the aforementioned virtual machine for analysis of its behavior (e.g., if it does not have a digital signature of a trusted software maker). The file handed over is then executed in the virtual machine; in the course of its execution, the actions and events carried out by the different function calls are intercepted, the intercepted events and actions are saved in a log, and the log is afterwards analyzed by the security application or by an expert in information security.
Thus, the known systems for interception and aggregation of events and actions work in two steps. In the first step, information is gathered; in the second step, it is analyzed.
The drawback of the known systems and methods is that they do not affect the execution process in the course of execution of the file. For example, if a process launched from a file being analyzed (or from an application which opened the file being analyzed) has halted its execution for an hour, or is attacking a certain email client or messenger (a program for exchange of messages) by accessing a file with saved passwords, the program being attacked will be absent from the virtual machine, and the maliciousness of the file's behavior will not be discovered (since, not having found the required file with passwords, the malicious file will terminate its execution by itself and will not reveal its malicious activity).
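The two-step scheme and its blind spot can be illustrated on a log of intercepted calls. The following is an added example, not code from the patent or from any product it describes; the log format, the sample lines and the credential-path heuristic are constructed assumptions for illustration.

```python
import re

# Constructed sample of an interception log (hypothetical format:
# "<seq> <api>(<args>) -> <result>"; not any real sandbox's format).
SAMPLE_LOG = """\
1 CreateFileW("C:\\Users\\u\\AppData\\Roaming\\Mailer\\passwords.db") -> ERROR_FILE_NOT_FOUND
2 Sleep(3600000) -> 0
3 ExitProcess(0) -> 0
"""

EVENT_RE = re.compile(r'^(\d+)\s+(\w+)\((.*)\)\s*->\s*(\S+)$')
# Assumed heuristic for paths that look like saved-credential stores.
CREDENTIAL_HINT = re.compile(r'passw|login|wallet|cookies', re.IGNORECASE)

def parse_log(text):
    """Step one: turn the intercepted calls into event records."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            seq, api, args, result = m.groups()
            events.append({"seq": int(seq), "api": api, "args": args, "result": result})
    return events

def long_sleeps(events, threshold_ms=60_000):
    """Sleep() calls long enough to suggest the sample is waiting out the sandbox."""
    return [int(e["args"]) for e in events
            if e["api"] == "Sleep" and e["args"].isdigit() and int(e["args"]) >= threshold_ms]

def missing_credential_targets(events):
    """Opens of credential-looking files that failed because the target is absent from the VM."""
    return [e["args"].strip('"') for e in events
            if e["api"] == "CreateFileW" and e["result"] == "ERROR_FILE_NOT_FOUND"
            and CREDENTIAL_HINT.search(e["args"])]

def analyze(text):
    """Step two: read the finished log for the evasive patterns the text describes."""
    events = parse_log(text)
    probes = missing_credential_targets(events)
    exited = any(e["api"] == "ExitProcess" for e in events)
    return {
        "events": len(events),
        "long_sleeps_ms": long_sleeps(events),
        "missing_credential_targets": probes,
        # A failed probe for a password file followed by a clean exit: no harmful
        # action was ever logged, so only this indirect pattern remains to flag.
        "suspicious_silent_exit": bool(probes) and exited,
    }
```

Because the analysis only runs after the log is complete, it can flag the pattern but cannot supply the missing file or shorten the sleep while the sample is still running, which is the limitation the paragraph above describes.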